Trying to “root” a Chinese IP cam (Wansview Q5). How could I find all the paths on its mysterious HTTP server? – Digitalmunition





This topic contains 1 reply, has 2 voices, and was last updated by Silver_Python 1 month, 2 weeks ago.

  • #292027

    anonymous
    Participant

    I bought a Wansview Q5 to have a go at attacking an IoT device and nmap shows some interesting things. There is an HTTP server, despite the Q5 not having any managed web interface. There is also an RTSP server, which isn’t worth noting because RTSP is an officially supported thing. There is also a port open at 65000 but I couldn’t find anything about it and doing a MITM + packet capture showed that it was never used.

    I’d like to focus on the HTTP server since I don’t think it should really be there. Just going to the IP shows a 403 forbidden page. There was no sitemap.xml or robots.txt. Is there a way of seeing if anything exists on the server?

    Here is the zenmap result (in XML): https://termbin.com/tw3a

  • #292028

    Silver_Python

    This post may give you some pointers about the HTTP service:

    Looks like it’s used by the app to control camera functions. The lighttpd version doesn’t seem to have any known code execution or other features unfortunately.

    Perhaps you could MITM the traffic and try to get a copy of its firmware for further analysis, as that’ll tell you a lot more about what’s happening under the hood. You could also open it up and find the serial interface to see if it exposes a usable console.

    Edit 2: I should read more carefully! ~~The TCP 65000 port looks like it’s returning RTSP related traffic. Try getting a video stream from it perhaps and see if it works.~~
